c15t 2.0.0-rc.8 → 2.0.0

package/CHANGELOG.md

@@ -1,5 +1,31 @@
 # c15t
 
+## 2.0.0
+
+### Major Changes
+
+- 32617c9: Changelog available at https://c15t.com/changelog/2026-04-14-v2.0.0
+
+### Patch Changes
+
+- Updated dependencies [32617c9]
+- Updated dependencies [32617c9]
+  - @c15t/schema@2.0.0
+  - @c15t/translations@2.0.0
+
+## 2.0.0-rc.10
+
+### Patch Changes
+
+- 9579b62: Add token-first legal-document consent groundwork for `2.0`.
+
+  - `c15t`: expand the unstable policy-consent input types so legal-document writes can prefer `documentSnapshotToken`, fall back to `policyHash`, and keep `policyId` only as a compatibility path.
+  - `@c15t/backend`: update legal-document consent writes to resolve append-only consent against a verified document snapshot token when configured, or against a provided document hash when only lighter-weight release proof is available.
+  - `@c15t/schema`: extend the subject consent schema and error shapes for legal-document snapshot tokens and hash-based legal-document resolution.
+
+- Updated dependencies [9579b62]
+  - @c15t/schema@2.0.0-rc.6
+
 ## 2.0.0-rc.8
 
 ### Minor Changes
@@ -171,7 +197,7 @@
 
 ### Major Changes
 
-- 126a78b: https://v2.c15t.com/changelog/2026-02-12-v2.0.0-rc.0
+- 126a78b: https://c15t.com/changelog/2026-02-12-v2.0.0-rc.0
 
 ### Patch Changes
 

package/README.md

@@ -11,7 +11,7 @@
 
 [![GitHub stars](https://img.shields.io/github/stars/c15t/c15t?style=flat-square)](https://github.com/c15t/c15t)
 [![CI](https://img.shields.io/github/actions/workflow/status/c15t/c15t/ci.yml?style=flat-square)](https://github.com/c15t/c15t/actions/workflows/ci.yml)
-[![License](https://img.shields.io/badge/license-GPL--3.0-blue.svg?style=flat-square)](https://github.com/c15t/c15t/blob/main/LICENSE.md)
+[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg?style=flat-square)](https://github.com/c15t/c15t/blob/main/LICENSE.md)
 [![Discord](https://img.shields.io/discord/1312171102268690493?style=flat-square)](https://c15t.link/discord)
 [![npm version](https://img.shields.io/npm/v/c15t?style=flat-square)](https://www.npmjs.com/package/c15t)
 [![Top Language](https://img.shields.io/github/languages/top/c15t/c15t?style=flat-square)](https://github.com/c15t/c15t)
@@ -116,8 +116,8 @@ Our preference is that you make use of GitHub's private vulnerability reporting
 
 ## License
 
-[GNU General Public License v3.0](https://github.com/c15t/c15t/blob/main/LICENSE.md)
+[Apache License 2.0](https://github.com/c15t/c15t/blob/main/LICENSE.md)
 
 ---
 
-**Built with ❤️ by the [consent.io](https://www.consent.io?utm_source=github&utm_medium=repopage_c15t) team**
+**Built by [Inth](https://inth.com?utm_source=github&utm_medium=repopage_c15t)**

package/dist/index.cjs

@@ -601,14 +601,13 @@ const consent_types_consentTypes = [
     }
 ];
 const allConsentNames = consent_types_consentTypes.map((consent)=>consent.name);
-const version = '2.0.0-rc.8';
 const STORAGE_KEY_V2 = 'c15t';
 const STORAGE_KEY = 'privacy-consent-storage';
 const initial_state_initialState = {
     debug: false,
     config: {
         pkg: 'c15t',
-        version: version,
+        version: "2.0.0",
         mode: 'Unknown'
     },
     consents: consent_types_consentTypes.reduce((acc, consent)=>{
@@ -1768,11 +1767,24 @@ function flattenLayout(layout) {
 }
 function applyPolicyPurposeAllowlist(preferences, allowedPurposeIds) {
     if (!allowedPurposeIds || 0 === allowedPurposeIds.length || allowedPurposeIds.includes('*')) return preferences;
-    const allowed = new Set(allowedPurposeIds);
+    const allowed = new Set([
+        'necessary',
+        ...allowedPurposeIds
+    ]);
     const next = {};
     for (const [key, value] of Object.entries(preferences))next[key] = allowed.has(key) ? value : false;
     return next;
 }
+function stripDisallowedPreferenceKeys(preferences, allowedPurposeIds) {
+    if (!allowedPurposeIds || 0 === allowedPurposeIds.length || allowedPurposeIds.includes('*')) return preferences;
+    const allowed = new Set([
+        'necessary',
+        ...allowedPurposeIds
+    ]);
+    const next = {};
+    for (const [key, value] of Object.entries(preferences))if (allowed.has(key)) next[key] = value;
+    return next;
+}
 function filterConsentCategoriesByPolicy(categories, allowedPurposeIds) {
     const uniqueCategories = Array.from(new Set(categories));
     if (!allowedPurposeIds || 0 === allowedPurposeIds.length || allowedPurposeIds.includes('*')) return uniqueCategories;
@@ -2801,6 +2813,7 @@ async function saveConsents({ manager, type, get, set, options, emitConsentChang
     } else if ('necessary' === type) for (const consent of consentTypes)newConsents[consent.name] = true === consent.disabled ? consent.defaultValue : false;
     const policyCategories = getEffectivePolicy(lastBannerFetchData)?.consent?.categories;
     const effectiveConsents = applyPolicyPurposeAllowlist(newConsents, policyCategories);
+    const requestPreferences = stripDisallowedPreferenceKeys(effectiveConsents, policyCategories);
     const didChange = haveConsentsChanged(previousConsents, effectiveConsents, consentTypes);
     const nextConsentCategoryLists = getConsentCategoryLists(effectiveConsents, consentCategories, consentTypes);
     const previousConsentCategoryLists = getConsentCategoryLists(previousConsents, consentCategories, consentTypes);
@@ -2851,7 +2864,7 @@ async function saveConsents({ manager, type, get, set, options, emitConsentChang
         const pendingSync = {
             type,
             subjectId,
-            preferences: effectiveConsents,
+            preferences: requestPreferences,
             givenAt,
             jurisdiction: locationInfo?.jurisdiction ?? void 0,
             jurisdictionModel: model,
@@ -2890,7 +2903,7 @@ async function saveConsents({ manager, type, get, set, options, emitConsentChang
         body: {
             type: 'cookie_banner',
             domain: window.location.hostname,
-            preferences: effectiveConsents,
+            preferences: requestPreferences,
             subjectId,
             jurisdiction: locationInfo?.jurisdiction ?? void 0,
             jurisdictionModel: model ?? void 0,
@@ -3831,6 +3844,103 @@ const createConsentManagerStore = (manager, options = {})=>{
                     }
                 });
             },
+            unstable_acceptPolicyConsent: async (input)=>{
+                const currentState = get();
+                const currentInfo = currentState.consentInfo;
+                const subjectId = currentInfo?.subjectId ?? generateSubjectId();
+                const storedIdentifiers = sanitizeSubjectIdentifiers({
+                    externalId: currentInfo?.externalId,
+                    identityProvider: currentInfo?.identityProvider
+                });
+                const userIdentifiers = sanitizeSubjectIdentifiers({
+                    externalId: currentState.user?.id,
+                    identityProvider: currentState.user?.identityProvider
+                });
+                const inputIdentifiers = sanitizeSubjectIdentifiers({
+                    externalId: input.externalId,
+                    identityProvider: input.identityProvider
+                });
+                const externalId = inputIdentifiers.externalId ?? storedIdentifiers.externalId ?? userIdentifiers.externalId;
+                const identityProvider = inputIdentifiers.identityProvider ?? storedIdentifiers.identityProvider ?? userIdentifiers.identityProvider;
+                const givenAt = input.givenAt ?? Date.now();
+                const domain = input.domain ?? ("u" > typeof window ? window.location.hostname : 'localhost');
+                const isLegalDocumentType = 'privacy_policy' === input.type || 'terms_and_conditions' === input.type || 'dpa' === input.type;
+                let legalDocumentFields = {};
+                if (isLegalDocumentType) if (input.documentSnapshotToken) legalDocumentFields = {
+                    documentSnapshotToken: input.documentSnapshotToken
+                };
+                else if (input.policyHash) legalDocumentFields = {
+                    policyHash: input.policyHash
+                };
+                else if (input.policyId) legalDocumentFields = {
+                    policyId: input.policyId
+                };
+                else throw new Error('Legal document consent requires documentSnapshotToken, policyHash, or policyId.');
+                const response = await manager.setConsent({
+                    body: {
+                        type: input.type,
+                        subjectId,
+                        domain,
+                        givenAt,
+                        uiSource: input.uiSource ?? 'api',
+                        ...legalDocumentFields,
+                        ...input.metadata ? {
+                            metadata: input.metadata
+                        } : {},
+                        ...input.preferences ? {
+                            preferences: input.preferences
+                        } : {},
+                        ...externalId ? {
+                            externalSubjectId: externalId
+                        } : {},
+                        ...identityProvider ? {
+                            identityProvider
+                        } : {}
+                    }
+                });
+                if (!response.ok || !response.data) {
+                    const errorMsg = response.error?.message ?? 'Failed to accept policy consent';
+                    get().callbacks.onError?.({
+                        error: errorMsg
+                    });
+                    const error = new Error(errorMsg);
+                    error.code = response.error?.code;
+                    error.details = response.error?.details ?? null;
+                    error.status = response.error?.status;
+                    throw error;
+                }
+                const consent = {
+                    ...response.data,
+                    givenAt: response.data.givenAt instanceof Date ? response.data.givenAt : new Date(response.data.givenAt)
+                };
+                const latestState = get();
+                const latestInfo = latestState.consentInfo;
+                const nextConsentInfo = {
+                    ...latestInfo,
+                    time: givenAt,
+                    subjectId,
+                    ...externalId ? {
+                        externalId
+                    } : {},
+                    ...identityProvider ? {
+                        identityProvider
+                    } : {}
+                };
+                set({
+                    consentInfo: nextConsentInfo,
+                    ...externalId ? {
+                        user: {
+                            id: externalId,
+                            identityProvider
+                        }
+                    } : {}
+                });
+                saveConsentToStorage({
+                    consents: latestState.consents,
+                    consentInfo: nextConsentInfo
+                }, void 0, latestState.storageConfig);
+                return consent;
+            },
             setOverrides: async (overrides)=>{
                 set({
                     overrides: {
@@ -3960,7 +4070,7 @@ function getOrCreateConsentRuntime(options, pkgInfo) {
             config: {
                 ...userConfig ?? {},
                 pkg: pkgInfo?.pkg || 'c15t',
-                version: pkgInfo?.version || version,
+                version: pkgInfo?.version || "2.0.0",
                 mode: normalizedMode,
                 meta: {
                     ...userConfig?.meta ?? {},

package/dist/index.js

@@ -525,14 +525,13 @@ const consent_types_consentTypes = [
     }
 ];
 const allConsentNames = consent_types_consentTypes.map((consent)=>consent.name);
-const version = '2.0.0-rc.8';
 const STORAGE_KEY_V2 = 'c15t';
 const STORAGE_KEY = 'privacy-consent-storage';
 const initial_state_initialState = {
     debug: false,
     config: {
         pkg: 'c15t',
-        version: version,
+        version: "2.0.0",
         mode: 'Unknown'
     },
     consents: consent_types_consentTypes.reduce((acc, consent)=>{
@@ -1692,11 +1691,24 @@ function flattenLayout(layout) {
 }
 function applyPolicyPurposeAllowlist(preferences, allowedPurposeIds) {
     if (!allowedPurposeIds || 0 === allowedPurposeIds.length || allowedPurposeIds.includes('*')) return preferences;
-    const allowed = new Set(allowedPurposeIds);
+    const allowed = new Set([
+        'necessary',
+        ...allowedPurposeIds
+    ]);
     const next = {};
     for (const [key, value] of Object.entries(preferences))next[key] = allowed.has(key) ? value : false;
     return next;
 }
+function stripDisallowedPreferenceKeys(preferences, allowedPurposeIds) {
+    if (!allowedPurposeIds || 0 === allowedPurposeIds.length || allowedPurposeIds.includes('*')) return preferences;
+    const allowed = new Set([
+        'necessary',
+        ...allowedPurposeIds
+    ]);
+    const next = {};
+    for (const [key, value] of Object.entries(preferences))if (allowed.has(key)) next[key] = value;
+    return next;
+}
 function filterConsentCategoriesByPolicy(categories, allowedPurposeIds) {
     const uniqueCategories = Array.from(new Set(categories));
     if (!allowedPurposeIds || 0 === allowedPurposeIds.length || allowedPurposeIds.includes('*')) return uniqueCategories;
@@ -2724,6 +2736,7 @@ async function saveConsents({ manager, type, get, set, options, emitConsentChang
     } else if ('necessary' === type) for (const consent of consentTypes)newConsents[consent.name] = true === consent.disabled ? consent.defaultValue : false;
     const policyCategories = getEffectivePolicy(lastBannerFetchData)?.consent?.categories;
     const effectiveConsents = applyPolicyPurposeAllowlist(newConsents, policyCategories);
+    const requestPreferences = stripDisallowedPreferenceKeys(effectiveConsents, policyCategories);
     const didChange = haveConsentsChanged(previousConsents, effectiveConsents, consentTypes);
     const nextConsentCategoryLists = getConsentCategoryLists(effectiveConsents, consentCategories, consentTypes);
     const previousConsentCategoryLists = getConsentCategoryLists(previousConsents, consentCategories, consentTypes);
@@ -2774,7 +2787,7 @@ async function saveConsents({ manager, type, get, set, options, emitConsentChang
         const pendingSync = {
             type,
             subjectId,
-            preferences: effectiveConsents,
+            preferences: requestPreferences,
             givenAt,
             jurisdiction: locationInfo?.jurisdiction ?? void 0,
             jurisdictionModel: model,
@@ -2813,7 +2826,7 @@ async function saveConsents({ manager, type, get, set, options, emitConsentChang
         body: {
             type: 'cookie_banner',
             domain: window.location.hostname,
-            preferences: effectiveConsents,
+            preferences: requestPreferences,
             subjectId,
             jurisdiction: locationInfo?.jurisdiction ?? void 0,
             jurisdictionModel: model ?? void 0,
@@ -3754,6 +3767,103 @@ const createConsentManagerStore = (manager, options = {})=>{
                     }
                 });
             },
+            unstable_acceptPolicyConsent: async (input)=>{
+                const currentState = get();
+                const currentInfo = currentState.consentInfo;
+                const subjectId = currentInfo?.subjectId ?? generateSubjectId();
+                const storedIdentifiers = sanitizeSubjectIdentifiers({
+                    externalId: currentInfo?.externalId,
+                    identityProvider: currentInfo?.identityProvider
+                });
+                const userIdentifiers = sanitizeSubjectIdentifiers({
+                    externalId: currentState.user?.id,
+                    identityProvider: currentState.user?.identityProvider
+                });
+                const inputIdentifiers = sanitizeSubjectIdentifiers({
+                    externalId: input.externalId,
+                    identityProvider: input.identityProvider
+                });
+                const externalId = inputIdentifiers.externalId ?? storedIdentifiers.externalId ?? userIdentifiers.externalId;
+                const identityProvider = inputIdentifiers.identityProvider ?? storedIdentifiers.identityProvider ?? userIdentifiers.identityProvider;
+                const givenAt = input.givenAt ?? Date.now();
+                const domain = input.domain ?? ("u" > typeof window ? window.location.hostname : 'localhost');
+                const isLegalDocumentType = 'privacy_policy' === input.type || 'terms_and_conditions' === input.type || 'dpa' === input.type;
+                let legalDocumentFields = {};
+                if (isLegalDocumentType) if (input.documentSnapshotToken) legalDocumentFields = {
+                    documentSnapshotToken: input.documentSnapshotToken
+                };
+                else if (input.policyHash) legalDocumentFields = {
+                    policyHash: input.policyHash
+                };
+                else if (input.policyId) legalDocumentFields = {
+                    policyId: input.policyId
+                };
+                else throw new Error('Legal document consent requires documentSnapshotToken, policyHash, or policyId.');
+                const response = await manager.setConsent({
+                    body: {
+                        type: input.type,
+                        subjectId,
+                        domain,
+                        givenAt,
+                        uiSource: input.uiSource ?? 'api',
+                        ...legalDocumentFields,
+                        ...input.metadata ? {
+                            metadata: input.metadata
+                        } : {},
+                        ...input.preferences ? {
+                            preferences: input.preferences
+                        } : {},
+                        ...externalId ? {
+                            externalSubjectId: externalId
+                        } : {},
+                        ...identityProvider ? {
+                            identityProvider
+                        } : {}
+                    }
+                });
+                if (!response.ok || !response.data) {
+                    const errorMsg = response.error?.message ?? 'Failed to accept policy consent';
+                    get().callbacks.onError?.({
+                        error: errorMsg
+                    });
+                    const error = new Error(errorMsg);
+                    error.code = response.error?.code;
+                    error.details = response.error?.details ?? null;
+                    error.status = response.error?.status;
+                    throw error;
+                }
+                const consent = {
+                    ...response.data,
+                    givenAt: response.data.givenAt instanceof Date ? response.data.givenAt : new Date(response.data.givenAt)
+                };
+                const latestState = get();
+                const latestInfo = latestState.consentInfo;
+                const nextConsentInfo = {
+                    ...latestInfo,
+                    time: givenAt,
+                    subjectId,
+                    ...externalId ? {
+                        externalId
+                    } : {},
+                    ...identityProvider ? {
+                        identityProvider
+                    } : {}
+                };
+                set({
+                    consentInfo: nextConsentInfo,
+                    ...externalId ? {
+                        user: {
+                            id: externalId,
+                            identityProvider
+                        }
+                    } : {}
+                });
+                saveConsentToStorage({
+                    consents: latestState.consents,
+                    consentInfo: nextConsentInfo
+                }, void 0, latestState.storageConfig);
+                return consent;
+            },
             setOverrides: async (overrides)=>{
                 set({
                     overrides: {
@@ -3883,7 +3993,7 @@ function getOrCreateConsentRuntime(options, pkgInfo) {
             config: {
                 ...userConfig ?? {},
                 pkg: pkgInfo?.pkg || 'c15t',
-                version: pkgInfo?.version || version,
+                version: pkgInfo?.version || "2.0.0",
                 mode: normalizedMode,
                 meta: {
                     ...userConfig?.meta ?? {},

package/dist-types/client/client-factory.d.ts

@@ -82,7 +82,7 @@ export type ConsentManagerOptions = {
      * @remarks
      * When provided, this takes precedence over `store.offlinePolicy`.
      *
-     * @see {@link https://v2.c15t.com/docs/frameworks/javascript/policy-packs}
+     * @see {@link https://c15t.com/docs/frameworks/javascript/policy-packs}
      */
     offlinePolicy?: StoreOptions['offlinePolicy'];
     /**

package/dist-types/index.d.ts

@@ -27,7 +27,7 @@ export { buildPrefetchScript } from './libs/prefetch';
 export { emitScriptDebugEvent, getLoadedScriptIds, isScriptLoaded, loadScripts, type Script, type ScriptDebugAction, type ScriptDebugEvent, type ScriptDebugEventInput, type ScriptDebugListener, type ScriptDebugScope, type ScriptDebugSource, type ScriptLifecycleCallback, subscribeToScriptDebugEvents, unloadScripts, updateScripts, } from './libs/script-loader';
 export { type ConsentRuntimeOptions, type ConsentRuntimePkgInfo, type ConsentRuntimeResult, clearConsentRuntimeCache, getOrCreateConsentRuntime, } from './runtime';
 export { createConsentManagerStore } from './store';
-export type { ActiveUI, ConsentStoreState, InitDataSource, OfflinePolicyConfig, PolicyScopeMode, PolicySurfaceState, PolicyUiAction, PolicyUiActionDirection, PolicyUiActionGroup, PolicyUiProfile, PolicyUiSurfaceConfig, SSRInitialData, SSRInitRequestContext, SSRInitRequestMetadata, SSRSkippedReason, StoreOptions, } from './store/type';
+export type { ActiveUI, ConsentStoreState, InitDataSource, OfflinePolicyConfig, PolicyScopeMode, PolicySurfaceState, PolicyUiAction, PolicyUiActionDirection, PolicyUiActionGroup, PolicyUiProfile, PolicyUiSurfaceConfig, SSRInitialData, SSRInitRequestContext, SSRInitRequestMetadata, SSRSkippedReason, StoreOptions, UnstableGenericPolicyConsentInput, UnstableLegalDocumentConsentInput, UnstablePolicyConsentInput, } from './store/type';
 export { defaultTranslationConfig } from './translations';
 export type { Callback, Callbacks, OnBannerFetchedPayload, OnConsentChangedPayload, OnConsentSetPayload, OnErrorPayload, } from './types/callbacks';
 export type { ConsentBannerResponse, ConsentState, LocationInfo, NamespaceProps, } from './types/compliance';

package/dist-types/libs/policy.d.ts

@@ -20,9 +20,18 @@ export interface PolicyValidationIssue {
  * Any preference key not in `allowedPurposeIds` is forced to `false`.
  * This prevents backend allowlist enforcement errors when clients hold
  * additional consent keys (for example from IAB category mapping).
- * When `allowedPurposeIds` contains `*`, no filtering is applied.
+ * When `allowedPurposeIds` contains `*`, no filtering is applied. `necessary`
+ * is always retained.
  */
 export declare function applyPolicyPurposeAllowlist<T extends Record<string, boolean>>(preferences: T, allowedPurposeIds?: string[]): T;
+/**
+ * Strips preference keys that are outside the active policy allowlist.
+ *
+ * Use this for API payloads when the backend enforces strict purpose scope and
+ * rejects unknown preference keys entirely. `necessary` is always retained to
+ * stay aligned with `applyPolicyPurposeAllowlist()`.
+ */
+export declare function stripDisallowedPreferenceKeys<T extends Record<string, boolean>>(preferences: T, allowedPurposeIds?: string[]): Partial<T>;
 /**
  * Filters consent categories against a policy purpose allowlist.
  *

package/dist-types/libs/save-consents.d.ts

@@ -15,7 +15,7 @@ export interface PendingConsentSync {
     subjectId: string;
     externalId?: string;
     identityProvider?: string;
-    preferences: ConsentState;
+    preferences: Partial<ConsentState>;
     givenAt: number;
     jurisdiction?: string;
     jurisdictionModel?: string | null;

package/dist-types/store/type.d.ts

@@ -2,7 +2,7 @@
  * @packageDocumentation
  * Defines the core types and interfaces for the consent management store.
  */
-import type { Branding, InitOutput, PolicyConfig, PolicyScopeMode, PolicyUiAction, PolicyUiActionDirection, PolicyUiActionGroup, PolicyUiProfile, PolicyUiSurfaceConfig } from '@c15t/schema/types';
+import type { Branding, InitOutput, PolicyConfig, PolicyScopeMode, PolicyUiAction, PolicyUiActionDirection, PolicyUiActionGroup, PolicyUiProfile, PolicyUiSurfaceConfig, PostSubjectOutput } from '@c15t/schema/types';
 import type { Model } from '../libs/determine-model';
 import type { StorageConfig } from '../libs/cookie';
 import type { HasCondition } from '../libs/has';
@@ -48,6 +48,53 @@ export interface PolicySurfaceState {
     /** Scroll lock hint from backend runtime policy. */
     scrollLock?: boolean;
 }
+type RequireAtLeastOne<T, Keys extends keyof T = keyof T> = Keys extends keyof T ? Required<Pick<T, Keys>> & Partial<Omit<T, Keys>> : never;
+/**
+ * Experimental input for legal-document consent writes.
+ *
+ * @remarks
+ * Preferred identifier flow:
+ * - `documentSnapshotToken` for authoritative, signed release metadata
+ * - `policyHash` when the caller only knows the rendered document hash
+ * - `policyId` only as a compatibility fallback for older backends
+ *
+ * @experimental
+ */
+type UnstableLegalDocumentConsentInputBase = {
+    type: 'privacy_policy' | 'terms_and_conditions' | 'dpa';
+    policyId?: string;
+    policyHash?: string;
+    documentSnapshotToken?: string;
+    domain?: string;
+    givenAt?: number;
+    metadata?: Record<string, unknown>;
+    preferences?: Record<string, boolean>;
+    uiSource?: string;
+    externalId?: string;
+    identityProvider?: string;
+};
+export type UnstableLegalDocumentConsentInput = UnstableLegalDocumentConsentInputBase & RequireAtLeastOne<Pick<UnstableLegalDocumentConsentInputBase, 'policyId' | 'policyHash' | 'documentSnapshotToken'>>;
+/**
+ * Experimental input for non-legal policy consent writes.
+ *
+ * @experimental
+ */
+export interface UnstableGenericPolicyConsentInput {
+    type: 'marketing_communications' | 'age_verification' | 'other';
+    domain?: string;
+    givenAt?: number;
+    metadata?: Record<string, unknown>;
+    preferences?: Record<string, boolean>;
+    uiSource?: string;
+    externalId?: string;
+    identityProvider?: string;
+}
+/**
+ * Experimental input for policy-based consent writes.
+ *
+ * @experimental
+ */
+export type UnstablePolicyConsentInput = UnstableLegalDocumentConsentInput | UnstableGenericPolicyConsentInput;
 /**
  * Offline policy preview payload for the headless runtime.
  *
@@ -61,8 +108,8 @@ export interface PolicySurfaceState {
  *   resolve it locally
  * - `policy` / `policyDecision`: inject a fully synthetic resolved result
  *
- * @see {@link https://v2.c15t.com/docs/frameworks/javascript/policy-packs}
- * @see {@link https://v2.c15t.com/docs/frameworks/react/concepts/policy-packs}
+ * @see {@link https://c15t.com/docs/frameworks/javascript/policy-packs}
+ * @see {@link https://c15t.com/docs/frameworks/react/concepts/policy-packs}
  */
 export type OfflinePolicyConfig = {
     /**
@@ -440,7 +487,7 @@ export interface StoreOptions extends Partial<StoreConfig> {
      *
      * Ignored in hosted/custom modes.
      *
-     * @see {@link https://v2.c15t.com/docs/frameworks/javascript/policy-packs}
+     * @see {@link https://c15t.com/docs/frameworks/javascript/policy-packs}
      */
     offlinePolicy?: OfflinePolicyConfig;
     /**
@@ -646,6 +693,12 @@ export interface StoreActions {
      * @throws {Error} When the underlying identify-user request fails
      */
     identifyUser: (user: User) => Promise<void>;
+    /**
+     * Writes a policy-based consent such as terms and conditions.
+     *
+     * @experimental
+     */
+    unstable_acceptPolicyConsent: (input: UnstablePolicyConsentInput) => Promise<PostSubjectOutput>;
     /**
      * Updates the selected consent state for a specific consent type.
      *

package/dist-types/version.d.ts

@@ -1 +1 @@
-export declare const version = "2.0.0-rc.8";
+export declare const version = "2.0.0";

package/docs/concepts/client-modes.md

@@ -15,7 +15,7 @@ c15t supports three client modes that determine how consent data is stored and s
 
 ## Hosted Mode (Recommended)
 
-The default mode. Connects to a c15t backend for full consent lifecycle management. We recommend using [consent.io](https://consent.io) for a fully managed experience, but you can [self-host](/docs/self-host) as well.
+The default mode. Connects to a c15t backend for full consent lifecycle management. We recommend using [inth.com](https://inth.com) for a fully managed experience, but you can [self-host](/docs/self-host) as well.
 
 > ℹ️ **Info:**
 > mode: 'hosted' is the preferred value. The legacy alias mode: 'c15t' is still supported for backward compatibility.

package/docs/concepts/policy-packs.md

@@ -8,7 +8,7 @@ A policy pack is an ordered array of policies. Each policy targets a region or c
 
 There are three ways to configure policy packs:
 
-1. **consent.io (recommended)** — use [consent.io](https://consent.io) as your hosted backend. Configure packs visually in the dashboard or via API — no code changes required. Works with any frontend, including static sites.
+1. **inth.com (recommended)** — use [inth.com](https://inth.com) as your hosted backend. Configure packs visually in the dashboard or via API — no code changes required. Works with any frontend, including static sites.
 2. **Self-hosted backend** — define packs in code via `policyPacks` and resolve them from real request geo data. Full control over policy logic and storage.
 3. **Offline fallback** — pass the same policy shapes to the frontend via `offlinePolicy.policyPacks`. Use this mainly for local development, demos, deterministic testing, or resilience when the backend is temporarily unreachable. If you omit `offlinePolicy.policyPacks`, c15t falls back to a synthetic worldwide opt-in banner instead of no-banner mode.
 

package/docs/iab/overview.md

@@ -15,12 +15,12 @@ When your site participates in the IAB ecosystem (ad exchanges, SSPs, DSPs, DMPs
 
 ## CMP Registration
 
-[consent.io](https://consent.io) is pending validation as an IAB Europe-registered CMP for c15t. Once approved, when you use consent.io as your backend, the correct CMP ID will be automatically provided to your client via the `/init` endpoint — no client-side configuration needed.
+[inth.com](https://inth.com) is pending validation as an IAB Europe-registered CMP for c15t. Once approved, when you use inth.com as your backend, the correct CMP ID will be automatically provided to your client via the `/init` endpoint — no client-side configuration needed.
 
 If you self-host the c15t backend and have your own CMP registration with IAB Europe, you can configure your CMP ID on the backend via `advanced.iab.cmpId` or on the client via the `iab.cmpId` option. A valid (non-zero) CMP ID is required for IAB TCF compliance.
 
 > ℹ️ **Info:**
-> If you heavily customize or build your own IAB banner or dialog (rather than using the default IABConsentBanner and IABConsentDialog components), you cannot use consent.io's CMP ID. You must register your own CMP with IAB Europe and use your own CMP ID.
+> If you heavily customize or build your own IAB banner or dialog (rather than using the default IABConsentBanner and IABConsentDialog components), you cannot use inth.com's CMP ID. You must register your own CMP with IAB Europe and use your own CMP ID.
 
 ## How c15t Implements TCF
 
@@ -40,17 +40,17 @@ Enable IAB TCF in the runtime options:
 
 ```ts
 import { getOrCreateConsentRuntime } from 'c15t';
+import { iab } from '@c15t/iab';
 
 const { consentStore } = getOrCreateConsentRuntime({
   mode: 'hosted',
   backendURL: 'https://your-instance.c15t.dev',
-  iab: {
-    enabled: true,
+  iab: iab({
     vendors: [1, 2, 10, 25],  // IAB vendor IDs you work with
-    // cmpId is automatically provided by the backend (consent.io).
+    // cmpId is automatically provided by the backend (inth.com).
     // Only set this if you have your own CMP registration with IAB Europe.
     // cmpId: 123,
-  },
+  }),
 });
 ```
 
@@ -91,14 +91,13 @@ window.__tcfapi('getTCData', 2, (tcData, success) => {
 
 ## IAB Configuration Options
 
-The `iab` option on the provider accepts:
+Configure IAB mode with `iab({ ... })` from `@c15t/iab`. The factory enables the addon and injects the runtime module automatically. The user-facing options are:
 
 |Option|Type|Description|
 |--|--|--|
-|`enabled`|`boolean`|Enable IAB TCF mode|
-|`cmpId`|`number`|CMP ID registered with IAB Europe. Automatically provided by the backend when using consent.io. Only set this if you have your own CMP registration.|
+|`cmpId`|`number`|CMP ID registered with IAB Europe. Automatically provided by the backend when using inth.com. Only set this if you have your own CMP registration.|
 |`vendors`|`number[]`|IAB vendor IDs that your site works with|
-|`nonIABVendors`|`NonIABVendor[]`|Custom vendors not in the IAB registry|
+|`customVendors`|`NonIABVendor[]`|Custom vendors not in the IAB registry|
 
 ## Key Concepts
 

package/docs/internationalization.md

@@ -10,7 +10,7 @@ There are two ways c15t can load translations: client-side or server-side.
 
 |Server-side|Client-side|
 |--|--|
-|The best way to reduce bundle size and improve performance. We can detect the user's language based on the browser's language settings, allowing for the most accurate translations. By default, when using a [consent.io](https://consent.io) hosted instance, [these languages](https://github.com/c15t/c15t/tree/main/packages/translations/src/translations) are supported.|Bundled with the application allowing for multiple languages to be supported without the need for a backend. The more translations you have, the larger the bundle size will be, which may impact the performance of your application.|
+|The best way to reduce bundle size and improve performance. We can detect the user's language based on the browser's language settings, allowing for the most accurate translations. By default, when using a [inth.com](https://inth.com) hosted instance, [these languages](https://github.com/c15t/c15t/tree/main/packages/translations/src/translations) are supported.|Bundled with the application allowing for multiple languages to be supported without the need for a backend. The more translations you have, the larger the bundle size will be, which may impact the performance of your application.|
 
 ## Basic Configuration
 

package/docs/quickstart.md

@@ -126,10 +126,10 @@ Install c15t agent skills to let AI agents help with styling, i18n, scripts & ot
 
 |Package manager|Command|
 |:--|:--|
-|npm|`npx @c15t/cli@rc skills`|
-|pnpm|`pnpm dlx @c15t/cli@rc skills`|
-|yarn|`yarn dlx @c15t/cli@rc skills`|
-|bun|`bunx @c15t/cli@rc skills`|
+|npm|`npx @c15t/cli skills`|
+|pnpm|`pnpm dlx @c15t/cli skills`|
+|yarn|`yarn dlx @c15t/cli skills`|
+|bun|`bunx @c15t/cli skills`|
 
 See [AI Agents](/docs/ai-agents) for bundled package docs and agent skills.
 

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "c15t",
-	"version": "2.0.0-rc.8",
+	"version": "2.0.0",
 	"description": "Developer-first CMP for JavaScript: cookie banner, consent manager, preferences centre. GDPR ready with minimal setup and rich customization",
 	"keywords": [
 		"nextjs",
@@ -26,7 +26,7 @@
 		"url": "https://github.com/c15t/c15t.git",
 		"directory": "packages/core"
 	},
-	"license": "GPL-3.0-only",
+	"license": "Apache-2.0",
 	"type": "module",
 	"exports": {
 		".": {
@@ -64,12 +64,12 @@
 		"not op_mini all"
 	],
 	"dependencies": {
-		"@c15t/schema": "2.0.0-rc.5",
-		"@c15t/translations": "2.0.0-rc.8",
+		"@c15t/schema": "2.0.0",
+		"@c15t/translations": "2.0.0",
 		"zustand": "5.0.12"
 	},
 	"devDependencies": {
-		"@c15t/typescript-config": "0.0.1-beta.1",
+		"@c15t/typescript-config": "0.0.1",
 		"@c15t/vitest-config": "1.0.0",
 		"genversion": "3.2.0",
 		"vitest-localstorage-mock": "0.1.2"